As we kick-off 2019, many of you are probably doing a vendor performance analysis based on other criteria. This is a great time to ensure you aren’t risking your EPHI data by choosing the wrong vendors. Here are eight questions that can help you do an initial assessment.

#1 Who within your organization will have access to the data and how is that controlled? Credentials management is essential. Too many organizations don’t enforce credentials management best practices such as limiting access and removing credentials promptly when someone leaves the organization.

#2 How frequently do you audit activity logs, and is that process manual or have you automated it? How frequently logs should be audited depends on the level of risk, but an automated process is more likely to detect anomalies.

#4 What are the details of your disaster recovery plan? If their availability affects your availability, that could be a problem.

#5 If the data exists in electronic format at their facility: What cybersecurity solutions have you implemented?

#6 Do you have someone within your organization who is specifically tasked with security and compliance? If it’s an internal person, they should be fairly high up in the organization and not a technician wearing several hats. If the individual(s) are external, look at what level of access they have to your data.

#7 What protocols do you have in place for responding to a breach? They should notify you promptly if they suspect your data has been compromised as it is still your obligation to notify HHS.

#8 If we were audited, what kinds of proof could you provide to help support our joint adherence to HIPAA?

Demand Proof

These questions will get you started and can help you identify business associates who may put your data at risk even with a signed agreement. Don’t Walk. Run from those vendors.

If your vendor passes the initial nine questions, you may want to do a deeper audit. Again, this depends on to what level leveraging this vendor puts your EPHI at risk. Vendors like Connectria that house clients’ EPHI on their systems or remotely manage systems that contain EPHI data should be able to provide validated proof of an external audit by a third-party provider. (Internal self-audits are not enough when there is this much data contact.) If they can’t, it’s time to find a new business partner.